Noisy Processing and the Distillation of Private States 
We provide a simple security proof for prepare & measure quantum key distribution protocols employing noisy processing and one-way postprocessing of the key. This is achieved by showing that the security of such a protocol is equivalent to that of an associated key distribution protocol in which, instead of the usual maximally-entangled states, a more general private state is distilled. Besides a more general target state, the usual entanglement distillation tools are employed (in particular, Calderbank-Shor-Steane (CSS)-like codes), with the crucial difference that noisy processing allows some phase errors to be left uncorrected without compromising the privacy of the key.



Entanglement has been the cornerstone of many quantum key distribution (QKD) security proofs to date: A prepare & measure protocol by which Alice and Bob generate a secret key can be shown to be secure exactly when an associated entanglement distillation protocol succeeds in producing a high fidelity maximally-entangled state. Secrecy of the key then follows since maximal entanglement can only be shared between two parties. The resulting proofs are intuitive and allow QKD designers to incorporate current methods of quantum error correction and entanglement distillation.

Renner, Gisin, and Kraus adopt a more information-theoretic approach to QKD security with the surprising result that secure key can be established at noise levels beyond what seems possible in the entanglement-based picture. By including a step in which Alice adds noise to her sifted key the overall key rate can actually increase. The additional noise damages the correlations held by Alice and Bob but the key observation is that this noise may damage Eve's correlations even more. While the best known upper bounds for one-way distillable entanglement do not rule out the possibility of distilling EPR pairs for these noise levels, it is puzzling that this processing can generate key at rates well in excess of the best known entanglement distillation rates. Thus, it has been unclear whether an entanglement-based security proof is possible for these protocols.

We find a resolution in the observation of that maximally-entangled states are not strictly necessary for generating secret keys. Instead, states leading to secret keys belong to the class of private states. These are composed of completely correlated systems A and B containing a uniformly distributed key, along with shield systems A' and B'. More precisely, $\gamma$ is called a d-dimensional private state (or pdit) if there are unitaries and a twisting operator of the form $U_{\rm twist}$ such that $\gamma = U_{\rm twist}\,(|\Phi_d\rangle\langle\Phi_d|_{AB} \otimes \rho_{A'B'})\,U_{\rm twist}^\dagger$ for some $\rho_{A'B'}$, where $|\Phi_d\rangle = \sum_{i=1}^{d} |ii\rangle/\sqrt{d}$. The twisting operator ensures that, while Alice and Bob may not share a maximally entangled state, Eve's reduced state is independent of the key. This definition recalls an earlier result that the secrecy of key created from entangled systems is not diminished by phase noise in the devices performing the entanglement distillation.
FIG. 1: The effective state held by Alice, Bob, and Eve after noisy processing, where $|\varphi\rangle = \sqrt{1-q}\,|0\rangle + \sqrt{q}\,|1\rangle$, $|\eta_{uv}\rangle = \sum \sqrt{p_{uv}}\,|uv\rangle$ and A' is the purification of the noise Alice adds. CSS-like error correction on the AB system is equivalent to classical error correction and privacy amplification on the key in the prepare & measure protocol, and securely provides key exactly when it maps many copies of the above state to a high-fidelity private state for all $p_{uv}$ consistent with the estimated parameters. The shield consists of the A' systems together with the CSS code's syndrome bits held by Bob.

In it was shown that a large number of low fidelity copies of a private state can sometimes be distilled to a high fidelity private state with the same shield but smaller key system. However, it is not clear what class of QKD protocols can be coherently recast in the form considered by [14]. As we will see, the coherent version of Q's protocol is quite different from those of [3]: the initial adversarially distributed state will be noisy EPR pairs (with no shield), and the shield of the final private state arises due to Alice and Bob's noisy processing.

In the following, we show that a prepare & measure QKD scheme with noisy processing and one-way postprocessing is secure exactly when an associated pdit distillation protocol has high fidelity. This requires only minor modifications of the standard entanglement distillation argument. Indeed, in the coherent description of the noisy processing protocol the auxiliary system purifying the noise introduced by Alice will function as a shield, and the sifted key will become noisy EPR pairs in the key system of a noisy pdit. The error correction and privacy amplification required in the classical processing maps to a CSS-like quantum code on the key system in the coherent protocol in the same way as found in [3]. If the CSS code performs a suitable amount of bit and phase error correction on the key system, Alice and Bob will be left with a high fidelity private state. The crucial difference from previous entanglement-based security proofs is that Alice and Bob need not correct every phase error to guarantee security, and this savings will often more than compensate for the associated increase in the number of bit errors they must correct. In fact, we can establish key at bit error rates up to 12.4% for the Bennett-Brassard-84 (BB84) protocol [11] and 14.1% for the six-state protocol, matching the rates of and surpassing all previous thresholds from entanglement-based proofs.

Private State Distillation. — We begin with a coherent reformulation of the BB84 and six-state protocols; other protocols can be handled in a similar manner. In both cases, Alice first prepares the state $|\Phi\rangle_{AB}$ and sends the B system to Bob. In BB84 (six-state), each party then randomly measures in the X or Z basis (X, Y, or Z) and by public discussion they sift out those outcomes corresponding to the same basis choice. This is equivalent to Alice (Bob) sending a random bit in (measuring in) one of the bases at random, since the statistics of measurements as well as an eavesdropper Eve's dependence on their outcomes are identical in both cases. Alice and Bob then publicly compare a small fraction of the sifted key to estimate the noise level of the channel.

If the noise level is zero, the resulting length-n sifted key can be described coherently as $|\Phi\rangle^{\otimes n}$. Otherwise, the most general noisy channels we need to consider are Pauli channels, since all subsequent operations will commute with a (hypothetical) measurement in the Bell-basis which digitizes the actual noise into this form [1]. The only difference here to the original classicization argument of Lo and Chau is that Alice flips some key bits, which also commutes with the Bell-state measurement. Attributing the noise to Eve, the key state is

$$\sum_{u,v} \sqrt{p_{uv}}\,(\mathbb{1}_A \otimes X^u Z^v_B)\,|\Phi\rangle^{\otimes n}_{AB}\,|u\rangle_{E_1}|v\rangle_{E_2}, \qquad (1)$$

where $p_{uv}$ is the probability of error pattern described by length-n bit strings u and v. Furthermore, if Alice and Bob randomly permute their n systems, it is sufficient to consider noise that is independent and identically-distributed (i.i.d.) for each transmitted qubit, given by rate. This follows from a slight variant of Lemma 3 of Q (see also 0, Q), the particulars of which we take up after the detailed analysis of the next section.

Alice and Bob now distill the key by performing bit error-correction and privacy amplification (phase error-correction). Before this, Alice adds i.i.d. noise to A, randomly applying X at rate q. This is described coherently as using an auxiliary system A' in the state $|\varphi\rangle_{A'} = \sqrt{1-q}\,|0\rangle + \sqrt{q}\,|1\rangle$ as the control system in a CNOT gate, yielding the state

$$\sum_{u,v,f} \sqrt{p_{uv}\,q_f}\;|f\rangle_{A'}\,(X^f_A \otimes X^u Z^v_B)\,|\Phi\rangle^{\otimes n}_{AB}\,|u\rangle_{E_1}|v\rangle_{E_2}, \qquad (2)$$

where $q_f = q^{|f|}(1-q)^{n-|f|}$ for length-n bit string f and |f| its Hamming weight. We can also think of Alice's error operator acting on Bob's system, since $X \otimes XZ$ and $\mathbb{1} \otimes XZX$ have the same effect on $|\Phi\rangle$.

Now Alice and Bob perform bit error-correction using a linear error correcting code. This step is the same as the usual analysis, since all bit errors must be corrected in the final key. The bit error rate is $p = p_x(1-q) + q(1-p_x)$ for $p_x = \sum_v p_{1,v}$, so Alice and Bob must measure $nH_2(p)$ parity syndromes, where $H_2$ is the binary Shannon entropy, in order to identify the error pattern with high probability. To simplify the resulting expressions, we use the method of decoupling error correction and privacy amplification [3], itself based on the breeding entanglement distillation protocol [13], whereby syndromes are collected in auxiliary entangled pairs.

Alice collects the bit parities in her halves of the ancilla states, measures them, and sends the result to Bob. Bob then coherently corrects system B and records the error in an ancilla system B', producing

$$\sum_{u,v,f} \sqrt{p_{uv}\,q_f}\;Z^v_{A'}|f\rangle_{A'}\,|u+f\rangle_{B'}\,Z^v_B\,|\Phi\rangle^{\otimes n}_{AB}\,|u\rangle_{E_1}|v\rangle_{E_2}, \qquad (3)$$

where $Z^v_{A'}$ comes from interchanging $X_B$ and $Z_B$.

In the classical description of the protocol, this step requires Alice to encrypt her measurement outcomes with a one-time pad, preventing information leakage to Eve. This encryption requires a key, which in the coherent description is a private state, meaning Alice and Bob generally collect the parity syndromes in the key subsystems of private states, not in maximally-entangled states as we have used. However, there is no loss of generality in using maximally-entangled states in the formalism, since using private states raises no additional complications [14].

At this stage, the normal entanglement-based proof 
would proceed to correct all phase errors. This would 
not give the key rates of as the extra noise would just 
reduce the rates from those of [1]. Instead, we come to 
the main observation of this paper: not all phase errors 
must be corrected. After correcting enough, the resulting 
state will be close to a private state. 

Examining Alice and Bob's state makes clear how this comes about. Tracing out Eve's systems, they hold

(4)

where $[\xi] = |\xi\rangle\langle\xi|$, $|\varphi^v\rangle =$ and we have used a CNOT $C_{A'B'}$ to write $|f\rangle_{A'}|u+f\rangle_{B'}$ as $C_{A'B'}|f\rangle_{A'}|u\rangle_{B'}$.

By performing phase error correction at a reduced rate, the pattern of phase errors will not be uniquely identified, but only narrowed to a set $V_s$ indexed by the syndrome s: $V_s = \{v \mid {\rm syndrome}(v) = s\}$. The key point is that if the vectors $|\varphi^v\rangle$ for $v \in V_s$ were mutually orthogonal, we could define the unitary $D_{A'B} = \sum_{v \in V_s} [\varphi^v]_{A'} \otimes Z^v_B$ and use $U_{BA'B'} = D_{A'B}\,C_{A'B'}$ to untwist:

$$\rho' = U_{BA'B'}\,\rho\,U^\dagger_{BA'B'} = [\Phi]^{\otimes n}_{AB} \otimes \Big(\sum_u p_u\,[u]_{B'} \otimes \sum_v p_{v|u}\,[\varphi^v]_{A'}\Big). \qquad (5)$$

Since D is a controlled-Z gate, either system can be thought of as the control, so $D_{A'B} = \sum_j [j]_B \otimes U^{(j)}_{A'}$ for some unitaries $U^{(j)}$. $U_{BA'B'}$ is a twisting operation, so that Alice and Bob would share a private state. Keys derived from this state would be secret.

Detailed Analysis. — To establish the secrecy of keys generated from $\rho$, recall the universally-composable definition of security from [3, HOl. A key K is called $\epsilon$-secure if the state $\rho_{KE}$ of the key and eavesdropper satisfies $\|\rho_{KE} - \kappa \otimes \rho_E\|_1 \le 2\epsilon$, where $\kappa$ is a uniform mixture of all key values, shared by Alice and Bob. The latter state is a perfect key and this definition ensures that $\rho_{KE}$ can safely be used for any further cryptographic purpose.

In the present context, the key is created by measuring systems A and B of $\rho$ in the Z basis. As the untwisting operation is unitary and commutes with the measurement, whether it is performed before the measurement or after does not affect the key's security. When performing the untwisting operation on the unmeasured state results in a maximally-entangled state on AB, the key generated will be perfectly secure. Similarly, if there is an untwisting operation mapping AB to within $2\epsilon$ of a maximally-entangled state, the key is $\epsilon$-secure.

For simplicity we consider independent amplitude and phase errors, with the case of correlated u and v following along similar lines. To construct an untwisting operation, it suffices to find a rank-one POVM with elements $E_v$ that can distinguish the $|\varphi^v\rangle$ with average error no larger than $\epsilon^2/2$: $P_e = \langle P_e^v\rangle = \sum_{v' \neq v} p_v\,\langle\varphi^v|E_{v'}|\varphi^v\rangle \le \epsilon^2/2$, where $P_e^v$ is probability of decoding input state $|\varphi^v\rangle$ incorrectly. This problem was considered by (2]| in the context of transmitting classical information over a quantum channel. Letting $\sigma = (1-p_z)|\varphi\rangle\langle\varphi| + p_z\,Z|\varphi\rangle\langle\varphi|Z$, $p_z = \sum_u p_{u,1}$ and $S(\sigma)$ be the entropy of $\sigma$, their results imply that with probability $1 - \epsilon^2/2$, the elements of a randomly-chosen subset $V_s \subset V$ of size $2^{n(S(\sigma)-\delta)}$ can be distinguished by the pretty-good measurement (PGM) with average error probability $\epsilon^2/2$, where $\epsilon$ decreases exponentially with n for arbitrarily small positive $\delta$.

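The PGM has rank-one elements by construction, so we have $E_v = |\theta^v\rangle\langle\theta^v|$ for unnormalized $|\theta^v\rangle$. Then we can append another auxiliary system A'' and consider the Neumark extension consisting of orthonormal states $|\Theta^v\rangle_{A'A''}$ in the joint Hilbert space A'A'' such that ${}_{A'A''}\langle\Theta^v|\varphi^{v'}\rangle_{A'}|0\rangle_{A''} = {}_{A'}\langle\theta^v|\varphi^{v'}\rangle_{A'}$. With this, we can finally construct the untwisting operator

$$U = \Big(\sum_v [\Theta^v]_{A'A''} \otimes Z^v_B\Big)\,C_{A'B'}.$$

Letting $\tilde\rho = |0\rangle\langle 0| \otimes \rho$, the fidelity of $U\tilde\rho U^\dagger$ with $\rho' = [\Phi]^{\otimes n} \otimes \sum_{u,v} p_{u,v}\,[\Theta^v]_{A'A''} \otimes [u]_{B'}$ is given by $F(U\tilde\rho U^\dagger, \rho') = \sum_{u,v} p_{uv}\,|\langle\theta^v|\varphi^v\rangle| = \langle\sqrt{P_s^v}\rangle$, where $P_s^v$ is the conditional probability of successful transmission of v. Since $\langle\sqrt{P_s^v}\rangle \ge \langle P_s^v\rangle = 1 - P_e \ge 1 - \epsilon^2/2$, using the relation between trace norm and fidelity, we find $\|U\tilde\rho U^\dagger - \rho'\|_1 \le 2\sqrt{1-F^2} \le 2\epsilon$, proving $\epsilon$-security.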

A subtlety arises in the use of the Neumark extension in that our untwisting operation consists of controlled isometries rather than unitaries. However, the privacy of the key is uncompromised: while Eve may have knowledge of the shield system, as long as Alice and Bob hold the key and shield, the fact that they could be untwisted implies that Eve is ignorant of the key.

Above, we took u and v to be independent. If they are not, randomly choosing sets $V_s$ of size $2^{n(S(\sigma|u)-\delta)}$, where $S(\sigma|u)$ is the conditional entropy of $\sigma$ given u, leads to an exponentially small average probability of decoding error for the PGM, and the rest of the argument remains unchanged. Putting this all together, by using a random code Alice and Bob can select a subset $V_s$ of size $\approx 2^{nS(\sigma|u)}$. With probability exponentially close to one, the untwisting operation can be constructed from the pretty-good measurement, ensuring the key is $\epsilon$-secure.

Finally, we must consider the effects of non-i.i.d. noise, e.g. arising from a coherent eavesdropping attack. By random sampling Alice and Bob obtain an estimate $f^{\rm est}$ of the fraction, or type, of Pauli errors $X^u Z^v$. Since the raw key bits are permutation-invariant, $|f^{\rm est} - f^{\rm raw}| < \epsilon$ with probability exponentially close (in n) to unity [25]. This allows us to prove that the above procedure is secure for any input state yielding estimate $f^{\rm est}$, not just those subjected to i.i.d. noise. First decompose the squared fidelity for an i.i.d. input state with error rate $p_{u,v} = f^{\rm est}_{u,v}$ into a sum over possible types f: $F^2 = \sum_f {\rm prob}(f \mid p = f^{\rm est})\,F_f$, where ${\rm prob}(f \mid p = f^{\rm est})$ is the probability of type f in the i.i.d. distribution, $F_f$ is the fidelity our protocol produces on a uniform distribution over errors of type f, and we have suppressed the u, v indices. Since there are only polynomially many types, all those with nonnegligible probability must have polynomially large probability and thus corresponding fidelities $F_f$ which are exponentially close to one. Since types within $\epsilon$ of the rate p are among the probable types [26], this guarantees that the above procedure produces high-fidelity entangled output states (or securely aborts) for any input state yielding $f^{\rm est}$.

Achievable Key Rates. — What key generation rates can be achieved by the protocols considered above? The bit-error correction step consumes $nH_2(p)$ previously-established secret key bits, but in so doing produces n bit-error-free bits. The phase error correction must reduce the number of phase errors from $2^{nH(v|u)}$ to $2^{nS(\sigma|u)}$ (which can be accomplished by a random phase code with $n(H(v|u) - S(\sigma|u))$ syndrome bits) in order to ensure that Alice and Bob could untwist the state, so we find an overall rate of $1 - H_2(p) - (H(v|u) - S(\sigma|u))$, or

$$R = 1 - H_2(p) - \sum_u p_u \left(H_2(p_{1|u}) - H_2(\lambda_+)\right), \qquad (6)$$

where $\lambda_+ = \frac{1}{2}\left(1 + \sqrt{1 - 16q(1-q)\,p_{1|u}(1-p_{1|u})}\right)$ is the larger eigenvalue of $\sigma_u = (1-p_{1|u})|\varphi\rangle\langle\varphi| + p_{1|u}\,Z|\varphi\rangle\langle\varphi|Z$.

In the BB84 protocol, bit and phase errors are equal but uncorrelated, meaning $p_{x|z} = p_z = p_x = p_{1|u}$, from which we find an error threshold of 12.4% by letting $q \to 1/2$. In the six-state protocol all Pauli errors occur at the same rate, giving a threshold error rate of 14.1%.
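
The following Python code is an added example, not code from the paper: it evaluates the rate of Eq. (6) numerically and bisects for the bit error rate at which R reaches zero, for the BB84 and six-state error models described above, with and without Alice's added noise. The function names, the 2x2 `joint[u][v]` parameterization of the single-qubit Pauli channel, and the use of q = 0.499 in place of the limit q → 1/2 are assumptions of this example.

```python
import math

def h2(x):
    """Binary Shannon entropy H2 in bits, with H2(0) = H2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def key_rate(joint, q):
    """Rate R of Eq. (6). joint[u][v] is the single-qubit channel probability
    of bit error u and phase error v; q is the rate of Alice's added bit flips."""
    p_x = joint[1][0] + joint[1][1]
    p = p_x * (1 - q) + q * (1 - p_x)        # bit error rate after added noise
    rate = 1.0 - h2(p)
    for u in (0, 1):
        p_u = joint[u][0] + joint[u][1]
        if p_u == 0.0:
            continue
        p1 = joint[u][1] / p_u               # p_{1|u}: phase error rate given u
        disc = max(0.0, 1.0 - 16 * q * (1 - q) * p1 * (1 - p1))
        lam = 0.5 * (1.0 + math.sqrt(disc))  # larger eigenvalue of sigma_u
        rate -= p_u * (h2(p1) - h2(lam))
    return rate

def bb84(e):
    """Bit and phase errors both at rate e and uncorrelated."""
    return [[(1 - e) ** 2, (1 - e) * e], [e * (1 - e), e * e]]

def six_state(e):
    """X, Y and Z errors each at rate e/2, so the bit error rate is e."""
    t = e / 2
    return [[1 - 3 * t, t], [t, t]]          # rows u = 0, 1: (I, Z) and (X, Y)

def threshold(channel, q, lo=0.01, hi=0.25, steps=50):
    """Bisect for the bit error rate at which key_rate crosses zero."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if key_rate(channel(mid), q) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

Q_NEAR_HALF = 0.499   # assumed finite stand-in for the limit q -> 1/2

if __name__ == "__main__":
    for name, ch in (("BB84", bb84), ("six-state", six_state)):
        print(name, round(threshold(ch, 0.0), 4),
              round(threshold(ch, Q_NEAR_HALF), 4))
```

With q = 0 the same function gives the thresholds obtained when every phase error is corrected, so the two columns show how much of the gain comes from the $H_2(\lambda_+)$ term.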

Discussion — We have shown that one-way key distribution protocols employing noisy processing can be seen as distillation protocols for private states where the purification of the added noise functions as part of the shield and the error correction and privacy amplification steps map to a CSS code in the usual way. This extends the entanglement distillation paradigm initiated in [H, 0], providing a cleaner and less technical security proof for the protocols of 0. Further, by formulating the protocol in this way, we gain insight into the mechanism by which addition of noise improves key rates, namely by deflecting Eve's correlations with Alice and Bob to the shield and away from the key.

In the security proof of the six-state protocol building on the work of [l^], Lo showed that a degenerate error-correcting code could be used to improve the threshold error rate from 12.6% to 12.7%. Further progress in this direction can be found in psj, where we report on the combination of that method with the noisy processing studied here, showing that the threshold error rate of BB84 can be increased from 12.4% to 12.9%. We believe our findings will point towards new methods of key distillation and analogous methods of private state distillation, furthering the fruitful exchange between privacy amplification and entanglement distillation.